failover

A general question here regarding failover. In the attached diagram, if router1 fails, should the firewalls also failover accordingly? Or would the traffic continue flowing based on the standby router taking over as active?


Thanks in advance.

It's not clear from the diagram exactly how things are interconnected. For example the firewalls do not seem to have an interconnection whereas an active/standby pair of firewalls would have a L2 interconnect for failover.

The routers in your diagram, are they physical routers or L3 switches? If they are L3 switches and one failed then yes, the firewalls should failover as well, as long as you are monitoring the inside interface. If they are physical routers and the link was a P2P link, i.e. there was no switch in between the router and the firewall, then yes, the firewalls would failover. If there was a L2 switch in between then no, they would not.

However it's not clear how any of this would work in your diagram. If the router failed but the firewall did not failover then there is no path from the standby router to the active firewall in your topology.

Replies


Hi,

As per the question, that depends. If router 1 fails, traffic will be shifted to router 2, but whether the firewall will shift over to the other one depends on your configuration of the firewall and of the data flow you have configured in the network.

If router 1 and router 2 are in HSRP/VRRP active/backup mode then only the router will failover and the firewall will not. Firewall failover totally depends on the firewall redundancy configuration which you would have configured as ACTIVE/STANDBY; at this stage only one IP will be there for both routers to forward the traffic.


Both firewalls (active/standby) along with the routers (HSRP) sit on two node layer 2 switches. In this case, if one of these switches were to go down (for e.g.), triggering the router to failover, would the firewalls also failover?

Thank You.

No need to apologise, just wanted to clarify how everything was connected up.

If one of the switches failed then yes the firewall would failover although interestingly the router wouldn't necessarily failover. Routers don't failover in the same way.

The issue you have with the routers is that if the switch dies then the outside interface of the router would be in a down state but the inside interface connecting to your LAN would still be up. So the active HSRP router would be the one with the failed interface. This isn't a problem if both routers are connected to both switches, but if the active router is connected to the switch that fails and that is its only connection then traffic has no way to get to the standby firewall, which is now the new active firewall. So you can either

1) connect each router to both switches

or

2) use interface tracking with HSRP so that if the outside interface goes down, which it will if the switch dies, then the HSRP priority is reduced and the other router takes over the active role.

Edit - I've assumed in the above that the switches used to interconnect the firewalls and the routers are not the same switches that the inside interfaces of the routers connect to, i.e. the LAN facing interfaces. If they are the same switches then yes, a switch failure would failover the router as well.
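As an added illustration of option 2 above (not configuration from this thread or from any poster), here is what HSRP interface tracking looks like on a Cisco IOS router, plus the matching ASA line that makes the firewall pair watch its inside interface. Hostnames, interface names, addresses and priorities are assumed.

```cisco
! === Router R1 (assumed name) ===
! R2 is configured the same way but with "standby 1 priority 100".
! Track object 1 goes DOWN when the outside interface loses line
! protocol, which is exactly what happens when the L2 switch it
! hangs off dies.
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description OUTSIDE - to L2 switch / firewall pair (assumed)
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 description INSIDE - LAN (assumed)
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 ! When track 1 goes down, R1 drops from 110 to 90, which is below
 ! R2's 100, so R2 preempts and becomes the active HSRP router.
 standby 1 track 1 decrement 20
!
! Verify on R1 after pulling the outside cable (or failing the switch):
!   show track 1          -> state should read "Down"
!   show standby brief    -> R1 should show "Standby", R2 "Active"

! === ASA active/standby pair (assumed platform) ===
! Make interface health part of the failover decision so a dead
! inside switch triggers the firewall failover the thread discusses.
monitor-interface inside
monitor-interface outside
```

With both pieces in place, the router that loses its switch-facing interface and the firewall that loses its monitored interface fail over to the peers that still have a path, so the new active firewall is reachable from the new active router.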